Nicolas Ross wrote:
> In my nat table I have:
>
> -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp --dport 22 \
> -j DNAT --to-destination e.f.g.h:8022

The source address for the ssh connection is still 192.168.7.x so the
return packets from the ssh daemon don't need to go through the router
and thus don't get nat'ed back. You need to double-nat, i.e. add a second
rule:

-A POSTROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp --dport 8022 \
-j SNAT --to-source $ROUTER_IP_LAN

$ROUTER_IP_LAN is the address of the router on the 192.168.7.0/24 net.

Toby
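
Added example, not part of the message above: a small Python model of the packet flow it describes, showing why the client rejects the ssh daemon's reply when only the PREROUTING rule exists and accepts it once the source is rewritten in POSTROUTING. The addresses 192.168.7.10, 192.168.7.1 and 203.0.113.5 (standing in for the masked e.f.g.h), the source port 40000 and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample values; 203.0.113.5 stands in for the masked e.f.g.h.
LAN = ip_network("192.168.7.0/24")
CLIENT, ROUTER_IP_LAN, SERVER = "192.168.7.10", "192.168.7.1", "203.0.113.5"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """Packet the receiver sends back: endpoints swapped."""
        return Pkt(self.dst, self.dport, self.src, self.sport)

class Router:
    """Toy model of the nat table plus connection tracking."""
    def __init__(self, snat):
        self.snat = snat
        self.conntrack = {}  # translated reply -> reply as the client expects it

    def forward(self, pkt):
        out = pkt
        from_lan = ip_address(pkt.src) in LAN
        # PREROUTING: DNAT port 22 to 8022 (rule quoted in the message)
        if from_lan and out.dst == SERVER and out.dport == 22:
            out = replace(out, dport=8022)
        # POSTROUTING: rewrite the source to the router's LAN address
        if self.snat and from_lan and out.dst == SERVER and out.dport == 8022:
            out = replace(out, src=ROUTER_IP_LAN)
        self.conntrack[out.reply()] = pkt.reply()
        return out

def ssh_connect(snat):
    """Return (client_accepts, reply_seen_by_client) for one connection attempt."""
    router = Router(snat)
    syn = Pkt(CLIENT, 40000, SERVER, 22)
    answer = router.forward(syn).reply()          # what sshd sends back
    if answer.dst == ROUTER_IP_LAN:
        answer = router.conntrack[answer]         # via router: NAT is undone
    # otherwise sshd reaches the client directly and nothing rewrites the reply
    return answer == syn.reply(), answer

if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT rule present:", snat, "->", ssh_connect(snat))
```

Without the POSTROUTING rule the client sees a reply from port 8022 for a connection it opened to port 22, so it matches no socket and the handshake never completes.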